Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Image To Video Explicit Ai
v1.0.0Turn a single character illustration or photo into 1080p animated video clips just by typing what you need. Whether it's converting adult images into animate...
⭐ 0· 41·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description (image → video, including explicit adult content) aligns with the instructions to upload images and call a cloud rendering API that returns MP4s. However the SKILL.md metadata requests a configuration path (~/.config/nemovideo/) while the registry metadata lists no required config paths — an inconsistency in declared surface area. The skill's source/homepage are unknown, which increases the risk of relying on an external service without provenance.
Instruction Scope
The runtime instructions tell the agent to: check NEMO_TOKEN, and if missing generate a UUID and call an external anonymous-auth endpoint to create a token; create sessions, upload local files (multipart) or URLs, and poll render endpoints. These actions necessarily transmit user images (including explicit content) to an external domain. The instructions also direct the agent to derive an attribution header by probing the agent's install path (fingerprinting the environment). Those behaviors go beyond simple local processing and have clear privacy/exfiltration risk; they are coherent with the stated purpose but raise concerns about unintended data disclosure and environment fingerprinting.
Install Mechanism
No install spec and no code files are present (instruction-only). That reduces surface risk from arbitrary downloaded code, but it also means there is no inspectable client implementation; runtime behavior depends wholly on the agent following these instructions to contact the external API.
Credentials
The skill only needs a single credential (NEMO_TOKEN), which is appropriate for a cloud API. However the SKILL.md metadata includes a configPaths entry (~/.config/nemovideo/) that is not declared in the registry metadata — inconsistent. The skill also instructs the agent to produce an anonymous token if NEMO_TOKEN is absent, which is logical but means the skill will unilaterally create and store credentials and will upload user-provided files to a remote service. These actions are proportionate for the stated function but carry privacy and credential-handling implications that users should understand.
Persistence & Privilege
always: false and the skill does not request special system privileges. It instructs keeping a session_id for the session lifecycle (normal). No instructions to modify other skills or global agent configuration were found.
What to consider before installing
This skill will upload any images you give it (including explicit adult images) to an external service at mega-api-prod.nemovideo.ai and will create or use a NEMO_TOKEN credential for that service. There is no installable client to inspect and the skill's origin/homepage are unknown. Before installing: (1) only use it with images you are comfortable uploading to a third party; (2) do not upload images of minors or anything you are not legally allowed to share; (3) be aware the skill may fingerprint your environment (it derives a platform header from install paths) and will create anonymous tokens if none are provided; (4) prefer skills with a known source or an inspectable client; (5) if you must proceed, verify the remote domain and its privacy/terms, and avoid setting persistent credentials unless you trust the service.Like a lobster shell, security has layers — review code before you run it.
latestvk977rzsd2aht3zm1wd924x1v8n84sk54
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN